Privacy Advisor

VIEWPOINT: New Wave of Class Action Privacy Litigation Loses Some of Its Momentum

October 1, 2007

VIEWPOINT: New Wave of Class Action Privacy Litigation Loses Some of Its Momentum

Lucy L. Thomson, Esquire, CIPP/G

In a ruling that has the potential effect of nullifying a Web site's privacy policy and rewriting the e-discovery rules for litigation, a federal court has ordered Web site owners to capture in audit logs and produce information about users who had searched for or downloaded certain software.

The case involves a lawsuit alleging copyright infringement filed by the motion picture studios Columbia Pictures Industries against the owners of Torrentspy, a Web site that made file- sharing software available to users to download copies of movies and other materials. The complaint alleges that the Web site enables, encourages and profits from "massive online piracy of plaintiffs' copyrighted works through the operation of their Internet Web site." The Web site makes "dot-torrent" files available to users, software that facilitates downloading of files through peer-to-peer file-sharing.

In a discovery dispute, a federal magistrate judge has issued a decision that may significantly alter the ability of Web sites to protect the privacy of its users. The Torrentspy privacy policy published on its Web site explicitly stated that the site "will not collect any personal information about you [the user] except when you [the user] specifically and knowingly provide such information." While the site reserved the right at any time to modify or update the policy, the policy stated that it would the changes so that users are always aware of what information the site collects, how the information is used, and under what circumstances the information is disclosed."

The data went through and was stored temporarily in the Random Access Memory (RAM) of defendants' Web server for approximately six hours. Logging information about Web site users was contrary to the Web site's privacy policy and not part of its business operations. The logging functionality of the Web server used to operate the Web site had not been enabled. Defendants testified at a hearing that logging is "not necessary to, or part of defendants' business operations."

The decision presents a number of difficult issues that privacy professionals must now consider when drafting an organization's privacy policy. It should be noted that the court rejected the defendant's arguments about the privacy of users based on the Web site's privacy policy, the First Amendment, and multiple federal statutes. As the court's reasoning illustrates, it is critically important to be explicit about what the privacy policy covers, particularly the technical aspects of the operation of the Web site. Excerpts from the court's findings set forth below with respect to privacy are illustrative:

  • "Defendants cannot insulate themselves from complying with their legal obligations to preserve and produce relevant information within their possession, custody or control and responsive to proper discovery requests, by reliance on a privacy policy -the terms of which are entirely within defendant's control."
  • The magistrate judge observed that it is not clear that defendants' current privacy policy actually prohibits the retention and production of the Server Log Data. Defendants have presented no evidence as to whether or how the term "personal information" is defined in the privacy policy. "As an IP address identifies a computer, rather than a specific user of a computer, it is not clear that IP addresses, let alone the other components of the Server Log Data in issue, are encompassed by the term 'personal information' in defendants' privacy policy." Only an Internet Service Provider can link a particular IP address to an individual subscriber.
  • On appeal, the district court emphasized that the privacy interests of defendants' users "are, at best, limited," adding that to the extent the users are engaged in copyright infringement, the First Amendment affords them no protection whatsoever." That court further noted that "because users openly disclosed their IP addresses as part of the BitTorrent file transfer process, the Court is not persuaded … that the retention of the IP addresses of users who obtain dot-torrent files from defendant's website will "chill" their speech."
  • The magistrate judge emphasized that plaintiffs did not request the names or other identifying information about Web site users. As a practical matter, the court issued a protective order to ensure that the information about users is anonymous (users'IP addresses were masked or encrypted); therefore the court concluded that users' privacy and First Amendment rights were not violated.

Similarly, the case presents complex and far-reaching issues for litigators and experts responsible for drafting technical contracts and agreements. At issue in the litigation was a technical interpretation of Rule 34(a) of the Federal Rules of Civil Procedure, which provides for the discovery of documents or electronically stored information - "including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained." The court addressed several novel and complex issues and questions.

  • Is the data "electronically stored information" within the meaning of Fed .R.Civ.P. 34(a)? In affirming the magistrate's decision, the district court held that with respect to obtaining data from RAM, "Rule 34 requires no greater degree of permanency from a medium than that which makes obtaining data possible."
  • Does this decision require defendants to create data for discovery? Does the court's decision that defendants must capture in audit logs, store and produce information about users who had searched for or downloaded certain software, amount to an order to create new data, particularly in light of the fact that logging information about Web site users was contrary to the Web site's privacy policy and not part of its business operations?
  • Does the decision change the requirements for data retention and disposition? Traditionally, courts have required entities in litigation to preserve potentially relevant information by not deleting or destroying it. In this decision, defendants were affirmatively required to take steps to capture and store transactions they did not previously retain or want for their business operations.
  • Was the data in RAM within the "possession, custody or control" of defendants? Of particular significance to the court was the fact that the Web site owners entered into a contract with a third party to operate their Web server. The court found that because of this contractual relationship, the information in RAM is "within defendants' possession, custody or control by virtue of defendants' ability to manipulate at will how the data in issue is routed."

The Electronic Frontier Foundation (EFF) and the Center for Democracy & Technology filed an amicus brief in the appeal before the federal district court "to overturn a dangerous ruling that would require an Internet search engine to create and store logs of its user activities." EFF pointed out that the decision would undermine the right to read and speak anonymously online.

In a June 25, 2007 press release, EFF staff attorney Corynne McSherry issued a statement. "This unprecedented ruling has implications well beyond the file sharing," McSherry said. "Giving litigants the power to rewrite their opponent's privacy policies poses a risk to all Internet users." (Available at www.eff.org/ legal/cases/torrentspy/EFF_amicus.pdf.)

The EFF brief noted the far-reaching effect this decision could have on the technology operations of organizations: "This decision could reach every function carried out by a digital device. Every keystroke at a computer keyboard, for example, is temporarily held in RAM, even if it is immediately deleted and never saved. Similarly, digital telephone systems make recordings of every conversation, moment by moment, in RAM."

On appeal, the magistrate's decision was affirmed by the United States District Court for the Central District of California. Following these federal court decisions, Torrentspy changed its Web site and posted the following notice to users:

Torrentspy Acts to Protect Privacy

"Sorry, but because you are located in the USA you cannot use the search features of the Torrentspy.com website. Torrentspy's decision to stop accepting US visitors was NOT compelled by any Court but rather an uncertain legal climate in the US regarding user privacy and an apparent tension between US and European Union privacy laws."
(See www.torrentspy.com/US_ Privacy.asp.)

No doubt contrary positions to those decided in the Central District of California will be put forth in future cases in other federal courts. In light of these decisions, businesses should carefully document their business model with respect to the collection and use of data and information, and develop a data management and data retention plan. A longstanding tenet of discovery is that organizations from which discovery is sought are not required to create data that does not otherwise exist. Advance planning and coordination among privacy professionals, IT and document management experts, and legal counsel, are required to avoid adverse rulings while cases such as this one are being litigated. The case is Columbia Pictures Industries v. Bunnell, No. 06-cv-01093 FMC-JCx (C.D. Calif. August 24, 2007).

Lucy Thomson, CIPP/G, is a Senior Principal Engineer, Information Security, and Privacy Advocate at Computer Sciences Corporation (CSC), a global IT company, where she works on teams building information systems for large organizations. She was appointed Consumer Privacy Ombudsman by two federal courts to oversee the sale of sensitive electronic consumer records in bankruptcy cases. A career U.S. Department of Justice attorney from 1977-2001 and a former criminal prosecutor, she has extensive experience as both a litigator in complex federal civil and criminal cases and as an expert in new technology and electronic discovery. She earned an M.S. degree from Rensselaer Polytechnic Institute in 2001, and her J.D. degree from Georgetown University Law Center.